HTML/Iframe.B.Gen virus


  • This topic is locked
16 replies to this topic

#1 NSSHelp

  • Members
  • 26 posts
  • Gender:Male

Posted 07 August 2014 - 08:09 AM

I have run the ESET online scanner tool and it identifies the problem as HTML/Iframe.B.Gen virus and JS/Exploit.Agent.NHC trojan.  The ESET tool never completes its scan.  I have run Malwarebytes and RogueKiller.  Each removed some other malware, but repeating those scans doesn't find anything now.  The PC is very slow.  I have attempted to run CCleaner and it never completes its analysis when scanning for temporary Internet files.  This is an office PC.  QS1 and Integra/Docutrack are legit applications.

 

Thanks for any help provided. 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 8.0.7601.17514
Run by NSSUser at 8:48:44 on 2014-08-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3998.1045 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\mfevtps.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Task Killer\TaskKiller.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://dell13-comm.msn.com
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140806100929.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
uPolicies-Explorer: TaskbarNoNotification = dword:0
uPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: 192.168.1.230
Trusted Zone: 192.168.1.230
TCP: Interfaces\{6AD0F3FB-9004-4366-A08B-D74ECC25248A} : NameServer = 75.75.75.75,8.8.8.8
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140806100929.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [IAStorIcon] "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
x64-RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\NSSUser\AppData\Roaming\Mozilla\Firefox\Profiles\6fkqcw3s.default\
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - ExtSQL: 2014-08-06 10:09; {D19CA586-DD6C-4a0a-96F8-14644F340D60}; C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF - ExtSQL: 2014-08-06 13:46; firefox-hotfix@mozilla.org; C:\Users\NSSUser\AppData\Roaming\Mozilla\Firefox\Profiles\6fkqcw3s.default\extensions\firefox-hotfix@mozilla.org.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2013-7-15 667496]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2013-7-15 28008]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2014-8-6 782968]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2014-8-6 344176]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2014-8-6 185280]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-11-6 539240]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-12-9 240640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-7-15 14696]
S2 IntegraTransferService;Integra Transfer Service;C:\Program Files (x86)\Integra\Deployment\Bin\IS.WM.Deployment.ServiceProviders.IntegraTransferService.exe [2010-3-4 8704]
S2 IntegraUpdateService;Integra Update Service;C:\Program Files (x86)\Integra\Deployment\Bin\IS.WM.Deployment.ServiceProviders.IntegraUpdateService.exe [2010-3-4 9216]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2013-5-11 733696]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-11-6 169432]
S2 KjsUpdateService2;AppLife Update Service 2.0;C:\Program Files (x86)\Common Files\AppLifeUpdateService2\kjsausvc.exe [2011-8-2 12800]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-8-5 1809720]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-8-5 860472]
S2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2013-6-25 130080]
S2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2014-8-6 242448]
S2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2014-1-15 208416]
S2 QIA;QS/1 Install Agent;C:\QS1\QIA\Qia.exe [2013-2-19 546184]
S2 SAService;Conexant SmartAudio service;C:\Windows\System32\SAsrv.exe --> C:\Windows\System32\SAsrv.exe [?]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-12-9 96768]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2013-6-9 169752]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-3-9 342528]
S3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2013-5-11 822232]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-8-5 25816]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-8-5 63704]
S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2014-8-6 311600]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2014-8-6 107032]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-2-15 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-15 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-2-15 30208]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-08-06 14:15:19    --------    d-----w-    C:\QUARANTINE
2014-08-06 14:10:11    --------    d-----w-    C:\Users\NSSUser\AppData\Roaming\McAfee
2014-08-06 14:09:29    94080    ----a-w-    C:\Windows\SysWow64\MfeOtlkAddin.dll
2014-08-06 14:09:29    25088    ----a-w-    C:\Windows\SysWow64\MFEOtlk.dll
2014-08-06 14:09:29    121896    ----a-w-    C:\Windows\System32\MfeOtlkAddin.dll
2014-08-06 14:09:26    11208    ----a-w-    C:\Windows\System32\drivers\mfeclnk.sys
2014-08-06 14:09:26    107032    ----a-w-    C:\Windows\System32\drivers\mferkdet.sys
2014-08-06 14:09:24    180272    ----a-w-    C:\Windows\System32\drivers\mfeapfk.sys
2014-08-06 14:09:23    311600    ----a-w-    C:\Windows\System32\drivers\mfeavfk.sys
2014-08-06 14:09:20    782968    ----a-w-    C:\Windows\System32\drivers\mfehidk.sys
2014-08-06 14:08:17    344176    ----a-w-    C:\Windows\System32\drivers\mfewfpk.sys
2014-08-06 14:08:16    185280    ----a-w-    C:\Windows\System32\mfevtps.exe
2014-08-06 14:08:14    --------    d-----w-    C:\Program Files\Common Files\McAfee
2014-08-06 14:07:10    --------    d-----w-    C:\Program Files (x86)\McAfee
2014-08-06 14:07:10    --------    d-----w-    C:\Program Files (x86)\Common Files\McAfee
2014-08-06 14:01:31    --------    d-----w-    C:\Windows\System32\appmgmt
2014-08-06 14:00:49    --------    d-----w-    C:\Windows\System32\Debug
2014-08-06 13:35:02    30312    ----a-w-    C:\Windows\System32\drivers\TrueSight.sys
2014-08-05 20:10:06    29160    ----a-w-    C:\Windows\SysWow64\drivers\TrueSight.sys
2014-08-05 20:10:04    --------    d-----w-    C:\ProgramData\RogueKiller
2014-08-05 20:05:54    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-08-05 17:04:44    --------    d-----w-    C:\Users\NSSUser\AppData\Local\Integra_Specialty_Care_Sy
2014-08-05 16:48:03    --------    d-----w-    C:\Program Files (x86)\Common Files\AppLifeUpdateService2
2014-08-05 16:36:22    --------    d-----w-    C:\Users\NSSUser\AppData\Local\CrashDumps
2014-08-05 15:11:37    --------    d-----w-    C:\Program Files\CCleaner
2014-08-05 15:09:09    --------    d-----w-    C:\Program Files (x86)\ESET
2014-08-05 14:45:12    122584    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-08-05 14:44:19    91352    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-08-05 14:44:19    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-08-05 14:44:19    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-08-05 14:44:19    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-08-05 14:44:19    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-05 14:44:02    --------    d-----w-    C:\Users\NSSUser\AppData\Local\Programs
2014-08-05 09:33:52    --------    d-----w-    C:\Users\NSSUser\AppData\Roaming\36e4f2
2014-08-05 09:33:39    --------    d-----w-    C:\Users\NSSUser\AppData\Local\36e4f2
2014-08-05 09:33:09    --------    d-----w-    C:\Users\NSSUser\AppData\Local\browser_dir
2014-07-29 07:27:10    --------    d-----w-    C:\ProgramData\OkikaHanec
2014-07-28 16:32:38    87200    ----a-w-    C:\ProgramData\wrnhoah.tmp
2014-07-28 16:32:35    530432    --sh--w-    C:\Windows\SkypeUpdater.exe
.
==================== Find3M  ====================
.
2014-07-09 00:16:16    71344    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-09 00:16:16    699056    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH:  8:56:21.57 ===============
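As an added example (not from the original post, and not part of DDS or any other tool named in this thread), here is a small Python triage helper for the "Created Last 30" / "Find3M" sections of a DDS log like the one above. It parses each line into timestamp, size, attribute flags and path, then applies three constructed heuristics to order what a responder should look at first: system+hidden files, files dropped loose into C:\Windows or C:\ProgramData, and hex-named folders under AppData. The sample lines are copied from the log above; the heuristics and all function names are my own assumptions, not a verdict on those entries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines in the DDS "Created Last 30" layout,
# copied from the log quoted above (date, time, size-or-dashes, attribute
# flags, path).  Raw string so the backslashes survive unchanged.
SAMPLE_DDS_LINES = r"""
2014-08-06 14:09:26    107032    ----a-w-    C:\Windows\System32\drivers\mferkdet.sys
2014-08-05 20:10:04    --------    d-----w-    C:\ProgramData\RogueKiller
2014-08-05 09:33:52    --------    d-----w-    C:\Users\NSSUser\AppData\Roaming\36e4f2
2014-07-28 16:32:38    87200    ----a-w-    C:\ProgramData\wrnhoah.tmp
2014-07-28 16:32:35    530432    --sh--w-    C:\Windows\SkypeUpdater.exe
"""

# One DDS entry: "YYYY-MM-DD HH:MM:SS  <size|-------->  <8 attribute chars>  <path>"
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+([a-z-]{8})\s+(.+?)\s*$"
)


@dataclass
class DdsEntry:
    created: str            # "YYYY-MM-DD HH:MM:SS"
    size: Optional[int]     # None for directories (DDS prints dashes)
    attrs: str              # raw 8-character attribute field, e.g. "--sh--w-"
    path: str
    reasons: List[str] = field(default_factory=list)

    # Assumption: the attribute field is read by letter presence (d=directory,
    # s=system, h=hidden), not by column position.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def is_system(self) -> bool:
        return "s" in self.attrs

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_dds_created(text: str) -> List[DdsEntry]:
    """Parse the lines of a DDS 'Created Last 30' or 'Find3M' section."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line)
        if not m:
            continue                      # section headers, dots, blank lines
        date, time, size, attrs, path = m.groups()
        entries.append(DdsEntry(
            created=f"{date} {time}",
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


# Constructed triage heuristics (my assumptions, not DDS or forum guidance):
# none of them proves anything, they only order what to inspect first.
LOOSE_FILE_DIRS = {r"c:\windows", r"c:\programdata"}


def triage(entry: DdsEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    parent, _, name = entry.path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if not entry.is_dir and entry.is_system and entry.is_hidden:
        reasons.append("system+hidden file")
    if not entry.is_dir and parent.lower() in LOOSE_FILE_DIRS:
        reasons.append(f"loose file directly in {parent}")
    if re.fullmatch(r"[0-9a-f]{6,}", stem) and "\\appdata\\" in entry.path.lower():
        reasons.append("hex-named entry under AppData")
    entry.reasons = reasons
    return reasons


def flagged_entries(text: str) -> List[DdsEntry]:
    """Parse a DDS section and keep only the entries that triage() flags."""
    return [e for e in parse_dds_created(text) if triage(e)]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_DDS_LINES):
        print(f"{e.created}  {e.attrs}  {e.path}  <- {', '.join(e.reasons)}")
```

Paste a whole DDS log into `flagged_entries()` and the unmatched lines (headers, process list, HJT section) are simply skipped.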
 

 

 



#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 07 August 2014 - 08:30 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Please upload attach.txt as well and do the following:

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 07 August 2014 - 09:40 AM

Thank you for the quick reply, Marius. 

 

GMER scan returned "GMER hasn't found any system modification."

 

I have attached attach.txt.  Not sure why it didn't attach to the first post. (Attached file: attach.txt, 1.27 KB)



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 August 2014 - 06:48 AM

Is this an enterprise/business machine?



#5 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 08 August 2014 - 07:39 AM

Yes, it is. 



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 August 2014 - 09:21 AM

This issue has to be fixed by your IT department.

If you are a small business without your own IT department, we'll certainly provide further support.



#7 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 08 August 2014 - 09:25 AM

Well, I am the IT dept for my company.  So far I haven't been able to remove it. 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 August 2014 - 09:32 AM

:D okay!

 

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#9 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 08 August 2014 - 10:56 AM

Thanks for helping!  Combofix is running and has been at "Completed Stage_4" for about an hour.  Should I continue to wait for it to complete?  Currently running Windows in safe mode. 



#10 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 11 August 2014 - 08:49 AM

I let ComboFix run all weekend.  Here is a screenshot of its progress as of this morning. (Attached file: combofix_screenshot.jpg, 100.34 KB)



#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 12 August 2014 - 06:14 AM

Hello there,

 

did it finish now?



#12 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 12 August 2014 - 08:34 AM

It was still at that same point as of 5 pm yesterday.  I had to swap the PC for a working one for the user so I had to shut down the infected PC to move it.   I have it in my own office now so I can work on it more conveniently.  Do you want me to start the ComboFix scan again?  Awaiting your instructions. 



#13 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 12 August 2014 - 08:42 AM

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab.
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
    • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
    • Click Schedule disk check > OK and close all windows.
    • Re-start the computer. The disk will be checked when the system boots.
    • This will take some time to run and at times may appear stalled, but just let it run.
    • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the Enter key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.



#14 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 13 August 2014 - 12:57 PM

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          8/13/2014 1:47:10 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Pharmacy21-7P
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  8891136 file records processed.                                         

File verification completed.
  281 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 5)...
  8932146 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 5)...
  8891136 file SDs/SIDs processed.                                        

Cleaning up 993 unused index entries from index $SII of file 0x9.
Cleaning up 993 unused index entries from index $SDH of file 0x9.
Cleaning up 993 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  20506 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35659200 USN bytes processed.                                            

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  8891120 files processed.                                                

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  70199952 free clusters processed.                                        

Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 472424447 KB total disk space.
 179581140 KB in 8660016 files.
   3035420 KB in 20509 indexes.
         0 KB in bad sectors.
   9008079 KB in use by the system.
     65536 KB occupied by the log file.
 280799808 KB available on disk.

      4096 bytes in each allocation unit.
 118106111 total allocation units on disk.
  70199952 allocation units available on disk.

Internal Info:
00 ab 87 00 56 74 84 00 56 7d 08 01 00 00 00 00  ....Vt..V}......
71 04 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  q...,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-13T05:47:10.000000000Z" />
    <EventRecordID>9916</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Pharmacy21-7P</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  8891136 file records processed.                                         

File verification completed.
  281 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 5)...
  8932146 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 5)...
  8891136 file SDs/SIDs processed.                                        

Cleaning up 993 unused index entries from index $SII of file 0x9.
Cleaning up 993 unused index entries from index $SDH of file 0x9.
Cleaning up 993 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  20506 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35659200 USN bytes processed.                                            

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  8891120 files processed.                                                

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  70199952 free clusters processed.                                        

Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 472424447 KB total disk space.
 179581140 KB in 8660016 files.
   3035420 KB in 20509 indexes.
         0 KB in bad sectors.
   9008079 KB in use by the system.
     65536 KB occupied by the log file.
 280799808 KB available on disk.

      4096 bytes in each allocation unit.
 118106111 total allocation units on disk.
  70199952 allocation units available on disk.

Internal Info:
00 ab 87 00 56 74 84 00 56 7d 08 01 00 00 00 00  ....Vt..V}......
71 04 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  q...,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>
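Added example, not part of the post above or of the Event Viewer procedure it answers: a Python helper that reads a Wininit event in the Event XML form pasted above and pulls out the fields a responder checks first, namely the provider/ID pair that identifies a CHKDSK result, the record ID, computer and timestamp, and whether the embedded CHKDSK text reports corrections or bad sectors. The sample XML is an abridged, constructed copy of the event above, and the function name is my own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Windows Event XML namespace (the xmlns on the <Event> root above).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: an abridged copy of the Wininit 1001 event pasted above,
# with the CHKDSK text in <Data> cut down to the lines that matter.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2014-08-13T05:47:10.000000000Z" />
    <EventRecordID>9916</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Pharmacy21-7P</Computer>
  </System>
  <EventData>
    <Data>
Checking file system on C:
The type of the file system is NTFS.
Cleaning up 993 unused security descriptors.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
         0 KB in bad sectors.
Windows has finished checking your disk.
</Data>
  </EventData>
</Event>
"""

# CHKDSK output lines that mean it actually changed something on disk.
CORRECTION_LINE = re.compile(r"^\s*(Cleaning up|Correcting|Windows has made corrections)")
BAD_SECTORS = re.compile(r"(\d+) KB in bad sectors")
VOLUME = re.compile(r"Checking file system on ([A-Z]:)")


def summarize_chkdsk_event(xml_text: str) -> Dict[str, object]:
    """Summarise one Event XML record.  The generic fields are filled for any
    event; the CHKDSK fields only for Wininit event ID 1001."""
    # xml.etree is fine for a record you copied yourself; for XML of unknown
    # origin prefer the defusedxml package.
    root = ET.fromstring(xml_text)
    sys_el = root.find("e:System", EVENT_NS)
    data_el = root.find("e:EventData/e:Data", EVENT_NS)
    provider = sys_el.find("e:Provider", EVENT_NS).get("Name")
    event_id = int(sys_el.find("e:EventID", EVENT_NS).text)
    body = data_el.text if data_el is not None and data_el.text else ""
    is_chkdsk = provider == "Microsoft-Windows-Wininit" and event_id == 1001

    corrections: List[str] = []
    bad_kb: Optional[int] = None
    vol = None
    if is_chkdsk:
        corrections = [ln.strip() for ln in body.splitlines() if CORRECTION_LINE.match(ln)]
        m = BAD_SECTORS.search(body)
        bad_kb = int(m.group(1)) if m else None
        vol = VOLUME.search(body)

    return {
        "provider": provider,
        "event_id": event_id,
        "record_id": int(sys_el.find("e:EventRecordID", EVENT_NS).text),
        "computer": sys_el.find("e:Computer", EVENT_NS).text,
        "time_utc": sys_el.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "is_chkdsk_event": is_chkdsk,
        "volume": vol.group(1) if vol else None,
        "corrections": corrections,      # empty list means CHKDSK changed nothing
        "bad_sector_kb": bad_kb,
    }


if __name__ == "__main__":
    for key, value in summarize_chkdsk_event(SAMPLE_EVENT_XML).items():
        print(f"{key}: {value}")
```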



#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 14 August 2014 - 05:01 AM

Please reboot into safe mode and run Combofix again.





